Chaos Corona Forum

Chaos Corona for 3ds Max => [Max] General Discussion => Topic started by: racoonart on 2015-02-26, 11:42:21

Title: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 11:42:21
two questions about licensing

1) I've successfully activated the license server in our network here running my own license(s). Now, what happens when the company buys additional licenses on another user account (different login credentials). Is there a way to add it to the current license server?

2) Is there a way to see how many licenses are currently used by which machines? If a workstation license is locked I'd want to be able to see which machine is using it.
Title: Re: Multiple License Owners in 1 network
Post by: Ondra on 2015-02-26, 12:40:30
#1: this is currently not possible; there may be something like setting the license server IP on the client, or whitelisting IPs on the server, in the future. You can however get around it with creative use of a firewall.

#2: this is currently not possible to view, sorry
Title: Re: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 12:49:31
Ok, thanks. So there is some space for improving the lic server in future versions ;)

Another very important point for me would be encrypted login data storage, for the lic server as well as for directly activated workstations/slaves. Currently everyone in the network could grab the txt with the login data and stop my subscription or add licenses online.
Title: Re: Multiple License Owners in 1 network
Post by: Ondra on 2015-02-26, 14:32:16
some level of encryption can be done, but in the end, everything that is supposed to work automatically WILL be crack-able/extract-able.
Title: Re: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 15:31:19
It's not about people trying to crack it, they will be able to do it anyways. It's just not a good idea to share my login details with everyone in the network (or who has access to a workstation or render slave) - for example student 2-week-interns. Someone can grab the info and activate his machine somewhere else and I can't do anything about it, I won't even notice since I'm not able to see where licenses are used.

Simple encryption keeps 99,99% of people locked out of my online account and costs almost nothing.
Title: Re: Multiple License Owners in 1 network
Post by: Ludvik Koutny on 2015-02-26, 16:40:37
It's actually even worse. One who opens the file and grabs the login data can easily get to customer zone, log in, cancel any plans and also freely change the login password (which is used on computers as well), since password change does not even prompt for current password.
Title: Re: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 17:06:09
Yes, I forgot that I could even change the password. That's quite a problem... but even if it would prompt for the current password, those people already used it for login anyways :D
Title: Re: Multiple License Owners in 1 network
Post by: Ludvik Koutny on 2015-02-26, 17:09:25
Well, now we need to convince Ondra it's really a problem :)
Title: Re: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 17:12:48
I hoped we already did O__o
Title: Re: Multiple License Owners in 1 network
Post by: maru on 2015-02-26, 17:25:52
Guys, maybe we should hide this discussion somewhere. :D
Title: Re: Multiple License Owners in 1 network
Post by: Ondra on 2015-02-26, 18:20:13
ok, so to clarify:
1) Most important: if a computer can activate license without you putting in the password, then the password can be extracted. Encrypting won't work since the encryption key would have to be also stored locally. BFU might not be able to do it on his own, but somebody could do a BFU-friendly application for that. Always bear that in mind. The only safe way is to use Box license or the licensing server.

2) The recommended solution in untrusted environment is using the licensing server. When using the licensing server (correctly ;)), there are no passwords stored on end-user machines, only on the server. There are no passwords being sent over the local network. The password is only sent from licensing server to our server, using standard HTTPS encryption, which is impossible to intercept without having access to the server or launching a very sophisticated man-in-the-middle attack.

3) Password is stored in plain text only when using the activation via CoronaActivation.txt file. If you input the login in 3ds Max activation dialog, it will get saved to HDD in encrypted form (which is still breakable! - see #1)

4) Even when using CoronaActivation.txt, you can delete the file after initial activation - the login will then be stored in breakable, but encrypted form (same as #3), and automatic extensions of the license will work

5) You cannot lock somebody out of his account without breaking into his email - since all passwords can be reset via emailed link.

6) You cannot order new stuff after breaking into somebody's account. You can only cancel his subscriptions (Corona will still work for the period that was already paid for)
Title: Re: Multiple License Owners in 1 network
Post by: Ludvik Koutny on 2015-02-26, 18:31:24
You are still missing the point. It's not about encrypting it so it's unbreakable. It's just about making it non human readable, so that anyone can not simply go to the folder, open the file and read login mail and password.
Title: Re: Multiple License Owners in 1 network
Post by: Ondra on 2015-02-26, 18:33:35
read #4 again
Title: Re: Multiple License Owners in 1 network
Post by: Ludvik Koutny on 2015-02-26, 18:34:37
That doesn't change anything about the fact that login details should not be exposed anytime, anywhere. The activation takes a while, before Max starts up and reads the licence. Someone in the right place at the right moment can still take advantage of it.

It's kind of similar to the excuse nVidia had when the raysat.exe vulnerability was discovered. They just said "Sure, that's by design, and it's up to you to keep your network safe."
Title: Re: Multiple License Owners in 1 network
Post by: Ondra on 2015-02-26, 18:40:46
The communication with server cannot be intercepted in this mode either.

Why is it impossible to just activate Corona on a machine, delete the file, and THEN let your interns sit in front of that computer? What better solution would you propose? You need to input the password at some point somewhere. Pre-hashing or generating activation tokens would not help - then these tokens could be stolen instead of the password. I just don't see the problem here, there are plenty of ways to avoid it
Title: Re: Multiple License Owners in 1 network
Post by: racoonart on 2015-02-26, 18:44:37
4) Even when using CoronaActivation.txt, you can delete the file after initial activation - the login will then be stored in breakable, but encrypted form (same as #3), and automatic extensions of the license will work

That's something I didn't know. Good that this information got added to the helpdesk article. Already fixes most of the problems. So the only place where unencrypted information is stored is the lic server. It's my personal opinion but I find it a good habit to store data like that encrypted, I also don't know any other license server application which does it any way else (which doesn't mean there aren't any).
My suggestion would be to just add a way to add credentials via the licserver and 2 textboxes, info gets stored encrypted, no manual .txt file generation necessary.
Combined with a way to manage multiple user accounts and information about used lics it's all fine
Title: Re: Multiple License Owners in 1 network
Post by: Ludvik Koutny on 2015-02-26, 18:44:57
The communication with server cannot be intercepted in this mode either.

Why is it impossible to just activate Corona on a machine, delete the file, and THEN let your interns sit in front of that computer? What better solution would you propose? You need to input the password at some point somewhere. Pre-hashing or generating activation tokens would not help - then these tokens could be stolen instead of the password. I just don't see the problem here, there are plenty of ways to avoid it

Yes, one can steal the token, but the best they can do is use the token to activate a licence on their computer. 99% of people then cannot extract the password and mail out of it and use it to log in to the customer area.
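
The password-versus-token trade-off argued in the last posts, as an added example that is not part of the thread and not Corona's licensing code: a signed token limited to an "activate" scope can still be stolen from a workstation, but it is rejected for account actions and can be revoked without a password change. The function names, claim fields and scope names are hypothetical, and the sample account and timestamps are constructed.

```python
import base64, hashlib, hmac, json, secrets

SERVER_KEY = secrets.token_bytes(32)   # vendor-side secret, never shipped to clients
REVOKED = set()                        # token ids the account owner has revoked

def issue_token(account, scope, expires_at):
    """Vendor side: mint a token after one interactive password login."""
    claims = {"acct": account, "scope": scope, "exp": expires_at,
              "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())

def verify_token(token, required_scope, now):
    """Return the claims if authentic, unexpired, unrevoked and in scope; else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:
        return None                    # malformed token
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # forged or edited token
    claims = json.loads(body)
    if claims["exp"] <= now or claims["jti"] in REVOKED:
        return None
    if claims["scope"] != required_scope:
        return None                    # e.g. activation token used on the account page
    return claims

def revoke(token):
    """Owner kills a leaked token without changing the account password."""
    body = base64.urlsafe_b64decode(token.split(".")[0])
    REVOKED.add(json.loads(body)["jti"])

if __name__ == "__main__":
    # Constructed sample values: account name and timestamps are made up.
    t = issue_token("studio@example.com", "activate", expires_at=2_000)
    print("render node activates:", verify_token(t, "activate", now=1_000) is not None)
    print("customer zone accepts:", verify_token(t, "account", now=1_000) is not None)
    revoke(t)
    print("after revocation     :", verify_token(t, "activate", now=1_000) is not None)
```
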